Can You Outsmart the Frame-Busting Buster?

Frame Buster Buster: Defeating the Frame-Busting Resistance

You've implemented anti-framing JavaScript to prevent your site from being embedded within iframes. However, you've discovered a malicious code that can bypass your frame-busting efforts. This issue raises the intriguing question: Can you outsmart the frame-busting buster?

The attacker's code operates by incrementing a counter during page navigation attempts and using a timer to redirect the page to a remote server that responds with HTTP status code 204, effectively preventing navigation.

Defeating the Buster

While the anti-framing code can be bypassed, it is possible to regain control by defeating the counter and timer mechanisms employed by the attacker. Here's how:

Disable onbeforeunload Event

The onbeforeunload event is used by the attacker to increment the counter. To disable it, use:

window.onbeforeunload = null;

Suspend setInterval Timer

To suspend the setInterval timer, utilize the clearInterval function:

var intervalID = setInterval(function() {  
  // ...
}, 1);

clearInterval(intervalID);

Using X-Frame-Options

For major browsers, using the X-Frame-Options header can prevent framing even with script disabled. For example:

X-Frame-Options: SAMEORIGIN

The above is the detailed content of Can You Outsmart the Frame-Busting Buster?. For more information, please follow other related articles on the PHP Chinese website!